8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e

General

Target

8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
Size

287KB
MD5

66d4d58fa5502e4b57eea77d7d71bcc0
SHA1

02cef59d341a49f405204df9464e77bab0decb2c
SHA256

8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e
SHA512

dbcada6297b1f02d032bcef3f42513fc8f1069f9eb3448824fe4436efadb02d9148d8adc6ff426f5d195d56e948ddfb5e0b3d1de306dc74658601f842c014cd9
SSDEEP

6144:YMWFvYVkNvWQPiOwuRKzBhECcPKb/tCHiv46:YqVg+QaCC+Paf46

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

bootres.exeSharedReg.exe

pid process

1872 bootres.exe
1628 SharedReg.exe
Loads dropped DLL 2 IoCs

Processes:

8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exebootres.exe

pid process

1012 8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1872 bootres.exe

pid	process
1872	bootres.exe
1628	SharedReg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bootres.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot Resource Library = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\bootres.exe"	bootres.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exeSharedReg.exe

description	pid	process	target process
PID 1012 set thread context of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1628 set thread context of 276	1628	SharedReg.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371482179"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000002b262e25afa6f211d0b8243f8d9d22b48b1317c87c29861be11dc3684a80b731000000000e80000000020000200000007d8c92661b84d68034182f7a930d6d57777be59ee21f3c70b3c8cd05d137127d20000000a85283a02f4eb11df79978b53eb80d7743a142b63f43ccc635f04126c2ab89b140000000219221d1159cf211210c5380c9355cf98680e2d1949ee1a861c1229464268e246381d38d3e2c79db5ad971ae1144cee05ce36b1d49935248b6192fc953d50a8c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000361f469c0056c9046f10618cdc84238d496acb1a4f831391a375b82c9866c0fc000000000e800000000200002000000083aa603bf4c4112381a8bc077a3e9ef21809f780effbdca63d631e844953b2e6900000005bc0f44d963ef4c8276ed8bf9769e0cb5dab012032f85188b71df28d81672d11b30e01636e153e6bb918aeba8036b8dbb1e73203de1b5d395ecc900cac352b6ed5963ad49600b57f3efc916f2f19009406593aca5b6f56c0dddb65a0eb5e0b916c27c4e9e0116d66bf869dbe9780c2007cf8946e6fae9f2d8dfbc54865960e04cebf4933862de6736a78a322f005305440000000f3248fea88c40382a339fd7316c6377d7298215a88bb39ea908817fa90803a974f8054fe75b5f20c77ceb6a4b6e8d6c8e729714499657e08ed9fae3125f5f71c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403815a562d6d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB480141-4255-11ED-8B55-6651945CA213} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exebootres.exeSharedReg.exe

pid	process
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1872	bootres.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1872	bootres.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1872	bootres.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1872	bootres.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1872	bootres.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1872	bootres.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1872	bootres.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1872	bootres.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe
1872	bootres.exe
1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
1628	SharedReg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exebootres.exeSharedReg.exe

description	pid	process
Token: SeDebugPrivilege	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
Token: 33	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
Token: SeIncBasePriorityPrivilege	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
Token: SeDebugPrivilege	1872	bootres.exe
Token: SeDebugPrivilege	1628	SharedReg.exe
Token: 33	1628	SharedReg.exe
Token: SeIncBasePriorityPrivilege	1628	SharedReg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

576 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

576 iexplore.exe
576 iexplore.exe
980 IEXPLORE.EXE
980 IEXPLORE.EXE
1228 IEXPLORE.EXE
1228 IEXPLORE.EXE
1228 IEXPLORE.EXE
1228 IEXPLORE.EXE

pid	process
576	iexplore.exe

pid	process
576	iexplore.exe
576	iexplore.exe
980	IEXPLORE.EXE
980	IEXPLORE.EXE
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exeAppLaunch.exeiexplore.exebootres.exeSharedReg.exe

description	pid	process	target process
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1348	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	AppLaunch.exe
PID 1012 wrote to memory of 1872	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	bootres.exe
PID 1012 wrote to memory of 1872	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	bootres.exe
PID 1012 wrote to memory of 1872	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	bootres.exe
PID 1012 wrote to memory of 1872	1012	8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe	bootres.exe
PID 1348 wrote to memory of 576	1348	AppLaunch.exe	iexplore.exe
PID 1348 wrote to memory of 576	1348	AppLaunch.exe	iexplore.exe
PID 1348 wrote to memory of 576	1348	AppLaunch.exe	iexplore.exe
PID 1348 wrote to memory of 576	1348	AppLaunch.exe	iexplore.exe
PID 576 wrote to memory of 980	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 980	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 980	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 980	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 980	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 980	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 980	576	iexplore.exe	IEXPLORE.EXE
PID 1872 wrote to memory of 1628	1872	bootres.exe	SharedReg.exe
PID 1872 wrote to memory of 1628	1872	bootres.exe	SharedReg.exe
PID 1872 wrote to memory of 1628	1872	bootres.exe	SharedReg.exe
PID 1872 wrote to memory of 1628	1872	bootres.exe	SharedReg.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 1628 wrote to memory of 276	1628	SharedReg.exe	AppLaunch.exe
PID 576 wrote to memory of 1228	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1228	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1228	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1228	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1228	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1228	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1228	576	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe
"C:\Users\Admin\AppData\Local\Temp\8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:209939 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\SharedReg.exe
"C:\Users\Admin\AppData\Local\Temp\SharedReg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SharedReg.exe
Filesize
287KB

MD5
66d4d58fa5502e4b57eea77d7d71bcc0

SHA1
02cef59d341a49f405204df9464e77bab0decb2c

SHA256
8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e

SHA512
dbcada6297b1f02d032bcef3f42513fc8f1069f9eb3448824fe4436efadb02d9148d8adc6ff426f5d195d56e948ddfb5e0b3d1de306dc74658601f842c014cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SharedReg.exe
Filesize
287KB

MD5
66d4d58fa5502e4b57eea77d7d71bcc0

SHA1
02cef59d341a49f405204df9464e77bab0decb2c

SHA256
8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e

SHA512
dbcada6297b1f02d032bcef3f42513fc8f1069f9eb3448824fe4436efadb02d9148d8adc6ff426f5d195d56e948ddfb5e0b3d1de306dc74658601f842c014cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DNTNGSCM.txt
Filesize
608B

MD5
9229b6d4716f4fcfc7b4b15daad7e4c3

SHA1
f476cab26c2140afff5276ac524ea5e6daf5c87e

SHA256
0e898bfefda4f355dfa69da11fd81752b6cb97b68212b694e447f7164618f771

SHA512
73ba818ec4f80c2dd1802d8f0eadac44d217441a36d8dfe0061116e6dc1bc81c53858846f7cba5563a73d90d6be5bfdc591fc53ed2115c305b5f44e67f5dcfc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
Filesize
7KB

MD5
2e74010faa0b3cc0ff1dcff309da03b3

SHA1
a85388fc3bc465b67e3a5b0c1f2621954b5c62f8

SHA256
71bad58cb9a8cc79ca7d5d97b9e68eafff79c65832ca94e3f010b475151f2b50

SHA512
18984e9a9d8548d28793f865be88f377fb7439a73af06b1f18ed9af54e1e3bda98600effde306c1bc8c9300d839c3e58694e39587e42aa10e4f0db45d5653f08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
Filesize
7KB

MD5
2e74010faa0b3cc0ff1dcff309da03b3

SHA1
a85388fc3bc465b67e3a5b0c1f2621954b5c62f8

SHA256
71bad58cb9a8cc79ca7d5d97b9e68eafff79c65832ca94e3f010b475151f2b50

SHA512
18984e9a9d8548d28793f865be88f377fb7439a73af06b1f18ed9af54e1e3bda98600effde306c1bc8c9300d839c3e58694e39587e42aa10e4f0db45d5653f08

Download Submit
\Users\Admin\AppData\Local\Temp\SharedReg.exe
Filesize
287KB

MD5
66d4d58fa5502e4b57eea77d7d71bcc0

SHA1
02cef59d341a49f405204df9464e77bab0decb2c

SHA256
8547092e1c3ac3d3021644212f6790a864896f716a7641b6f0db94f6ce432d8e

SHA512
dbcada6297b1f02d032bcef3f42513fc8f1069f9eb3448824fe4436efadb02d9148d8adc6ff426f5d195d56e948ddfb5e0b3d1de306dc74658601f842c014cd9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
Filesize
7KB

MD5
2e74010faa0b3cc0ff1dcff309da03b3

SHA1
a85388fc3bc465b67e3a5b0c1f2621954b5c62f8

SHA256
71bad58cb9a8cc79ca7d5d97b9e68eafff79c65832ca94e3f010b475151f2b50

SHA512
18984e9a9d8548d28793f865be88f377fb7439a73af06b1f18ed9af54e1e3bda98600effde306c1bc8c9300d839c3e58694e39587e42aa10e4f0db45d5653f08

Download Submit
memory/276-87-0x000000000042C42E-mapping.dmp

Download
memory/1012-55-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-56-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1348-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1348-61-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1348-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1348-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1348-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1348-63-0x000000000042C42E-mapping.dmp

Download
memory/1348-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1348-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1628-77-0x0000000000000000-mapping.dmp

Download
memory/1628-80-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-94-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-70-0x0000000000000000-mapping.dmp

Download
memory/1872-93-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-74-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads